On 2005/09/29, at 2:32, Ignacio Vazquez-Abrams wrote:
> On Thu, 2005-09-29 at 02:18 +0900, Moriyoshi Koizumi wrote:
>> On 2005/09/29, at 1:46, Ignacio Vazquez-Abrams wrote:
>>> On Wed, 2005-09-28 at 16:31 +0100, Craig Webster wrote:
>>>> checking if md5.h is derived from Cyrus SASL Version 1... no
>>>> checking for md5.h usability... no
>>>> checking md5.h presence... no
>>>> checking for md5.h... no
>>>
>>> This is *STILL* not fixed?! It was reported in 0.6 by two people
>>> independently 3 months ago and it's still a problem? Why hasn't this
>>> issue been dealt with yet?
>>
>> Because I didn't reproduce the exact problem they were experiencing
>> and I thought the cause would most likely be some oddities in each
>> environment.
>>
>> I've been testing on the 7 major different platforms / distributions
>> (MacOSX, Debian GNU/Linux, Fedora Core, NetBSD, FreeBSD, OpenBSD and
>> Solaris) with different configurations, and they just worked fine.
>
> Did you remember to remove the cyrus-sasl-devel package so that you
> don't get a false negative?
If you don't specify --with-cyrus-sasl, the packages are basically
ignored. The outputs are a bit confusing though.
Moriyoshi

Hello,
The previous mail was accidentally posted to the list with
the wrong mail address I usually use for my work, so I'd like to
send the same again. Please don't reply to the previous one.
Sorry for cluttering.
-----------------------------------------------------------------------
The PAM-MySQL project has announced the newest versions of the
product are now available for downloads.
The new releases include a couple of crucial security fixes.
Users are strongly encouraged to upgrade to either version immediately.
We apologise for the inconvenience caused by these issues.
Addressed security concerns:
* Possible segmentation fault in the SQL logging facility, which can
cause Denial-of-Service (DoS).
* Flaws in the authentication and authentication token alteration code
where incorrect treatment of the pointer returned by pam_get_item()
was spotted. They can most likely induce DoS or possibly lead to
more severe problems.
Changes:
* Changed handling of the "where" option to not escape meta characters
(PR #1261484). (0.7pre3)
* Overhauled the SQL logging facility (PR #1256243). (0.6.2, 0.7pre3)
* Added logrhostcolumn (log.rhost_column) option that enables you to log
the value of the "rhost" item specified by the application. (0.7pre3)
* Fixed possible security flaw (though not considered to be severe).
(0.7pre3)
* Fixed memory leaks spotted when "config_file" option is used.
(0.7pre3)
* Fixed try_first_pass behaviour. (0.7pre3)
* Changed option parsing behaviour so "=" following each option name is
not needed. (0.7pre3)
You can download either one from the following URLs:
http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.6.2.tar.gz
http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7pre3.tar.gz
Regards,
Moriyoshi

On Thu, 2005-09-29 at 02:18 +0900, Moriyoshi Koizumi wrote:
> On 2005/09/29, at 1:46, Ignacio Vazquez-Abrams wrote:
> > On Wed, 2005-09-28 at 16:31 +0100, Craig Webster wrote:
> >> checking if md5.h is derived from Cyrus SASL Version 1... no
> >> checking for md5.h usability... no
> >> checking md5.h presence... no
> >> checking for md5.h... no
> >
> > This is *STILL* not fixed?! It was reported in 0.6 by two people
> > independently 3 months ago and it's still a problem? Why hasn't this
> > issue been dealt with yet?
>
> Because I didn't reproduce the exact problem they were experiencing
> and I thought the cause would most likely be some oddities in each
> environment.
>
> I've been testing on the 7 major different platforms / distributions
> (MacOSX, Debian GNU/Linux, Fedora Core, NetBSD, FreeBSD, OpenBSD and
> Solaris) with different configurations, and they just worked fine.
Did you remember to remove the cyrus-sasl-devel package so that you
don't get a false negative?
--
Ignacio Vazquez-Abrams <ivazquez@...>
http://fedora.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72

On 28 Sep 2005, at 17:46, Ignacio Vazquez-Abrams wrote:
> This is *STILL* not fixed?! It was reported in 0.6 by two people
> independently 3 months ago and it's still a problem? Why hasn't this
> issue been dealt with yet?
To be fair, we're getting a very useful product for free.
Gentoo doesn't even have 0.6 in the ~x86 tree yet! :(
If I get time (and can get it working) I'll try to make an ebuild for
PAM-MySQL 0.7.
Yours,
Craig
--
Craig Webster | t: +44 (0)131 516 8595 | e: craig@...
Xeriom.NET | f: +44 (0)709 287 1902 | w: http://xeriom.net

On 2005/09/29, at 1:46, Ignacio Vazquez-Abrams wrote:
> On Wed, 2005-09-28 at 16:31 +0100, Craig Webster wrote:
>> I have just tried all of the following
>>
>> ./configure --with-openssl=/
>> ./configure --with-openssl=/usr
>> ./configure --with-openssl=/usr/include
>> ./configure --with-openssl=/usr/include/openssl
>>
>> but I still get the lines:
>>
>> checking if md5.h is derived from Cyrus SASL Version 1... no
>> checking for md5.h usability... no
>> checking md5.h presence... no
>> checking for md5.h... no
>
> This is *STILL* not fixed?! It was reported in 0.6 by two people
> independently 3 months ago and it's still a problem? Why hasn't this
> issue been dealt with yet?
Because I didn't reproduce the exact problem they were experiencing
and I thought the cause would most likely be some oddities in each
environment.
I've been testing on the 7 major different platforms / distributions
(MacOSX, Debian GNU/Linux, Fedora Core, NetBSD, FreeBSD, OpenBSD and
Solaris) with different configurations, and they just worked fine.
Regards,
Moriyoshi
>
> --
> Ignacio Vazquez-Abrams <ivazquez@...>
> http://fedora.ivazquez.net/
>
> gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72

On Wed, 2005-09-28 at 16:31 +0100, Craig Webster wrote:
> I have just tried all of the following
>
> ./configure --with-openssl=/
> ./configure --with-openssl=/usr
> ./configure --with-openssl=/usr/include
> ./configure --with-openssl=/usr/include/openssl
>
> but I still get the lines:
>
> checking if md5.h is derived from Cyrus SASL Version 1... no
> checking for md5.h usability... no
> checking md5.h presence... no
> checking for md5.h... no
This is *STILL* not fixed?! It was reported in 0.6 by two people
independently 3 months ago and it's still a problem? Why hasn't this
issue been dealt with yet?
--
Ignacio Vazquez-Abrams <ivazquez@...>
http://fedora.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72

Hi,
> How did you get your OpenSSL installed?
I'm a Gentoo user so
ACCEPT_KEYWORDS="~x86" emerge -va openssl
> Try /usr/local and /usr/local/ssl either way.
Thanks. Will try these locations tonight when the machine is a little
quieter.
> >checking if md5.h is derived from Cyrus SASL Version 1... no
> >checking for md5.h usability... no
> >checking md5.h presence... no
> >checking for md5.h... no
>
> These lines report the availability of md5.h from Cyrus SASL.
> You won't see anything about the individual header files if
> OpenSSL is chosen.
Ah okay. Is the only indicator of it working with md5.h from OpenSSL the
lack of error messages in the log file then, or is there another way to
find out if it's picked up this file?
Yours,
Craig
--
Craig Webster | web: http://xeriom.net/
Xeriom.NET | tel: +44 (0)131 516 8595

> I have just tried all of the following
>
> ./configure --with-openssl=/
> ./configure --with-openssl=/usr
> ./configure --with-openssl=/usr/include
> ./configure --with-openssl=/usr/include/openssl
How did you get your OpenSSL installed?
Try /usr/local and /usr/local/ssl either way.
> but I still get the lines:
>
> checking if md5.h is derived from Cyrus SASL Version 1... no
> checking for md5.h usability... no
> checking md5.h presence... no
> checking for md5.h... no
These lines report the availability of md5.h from Cyrus SASL.
You won't see anything about the individual header files if
OpenSSL is chosen.
> It's OpenSSL 0.9.7g -- could this be the problem?
I don't think that could be the problem.
Regards,
Moriyoshi

Hi,
Thanks for your swift reply.
> You need to specify the install prefix of the library rather than
> the location of the headers. (e.g. --with-openssl=/usr)
> > have also tried with just /usr and /usr/include but configure refuses
> > to pick up the file.
I have just tried all of the following
./configure --with-openssl=/
./configure --with-openssl=/usr
./configure --with-openssl=/usr/include
./configure --with-openssl=/usr/include/openssl
but I still get the lines:
checking if md5.h is derived from Cyrus SASL Version 1... no
checking for md5.h usability... no
checking md5.h presence... no
checking for md5.h... no
It's OpenSSL 0.9.7g -- could this be the problem?
Are there any other details that I can add which will help?
Thanks,
Craig
--
Craig Webster | web: http://xeriom.net/
Xeriom.NET | tel: +44 (0)131 516 8595

Hello!
I have to hide the database user and password used for authorisation on
the database server.
In the default configuration, they are stored in the PAM configuration files in
clear text, so when a workstation is booted from CD-ROM or floppy, they
can be easily read from the config files.
I can't guarantee the physical security of the workstation, and/or some
user could steal the workstation's MAC and connect his own computer as the
workstation (so authorisation via workstation address is not a good idea).
Is there any method for safe storage of database authentication
information that prevents stealing the database user and password?
Maybe there is a place for a daemon similar to rpc.yppasswdd (and the program
yppasswd) used by NIS to change a user's password safely - usually servers
have guaranteed physical security and nobody tries to boot them from
floppy or CD-ROM to get root access to their disks.
Regards,
Wojtek
--
Wojciech 'Wheart' Penar
e-mail: wheart@...

Hi,
You need to specify the install prefix of the library rather than
the location of the headers. (e.g. --with-openssl=/usr)
Regards,
Moriyoshi
On 2005/09/28, at 23:05, Craig Webster wrote:
> Hi List,
>
> I'm trying to configure Pam-MySQL 0.7pre2 so that I can use the MySQL
> MD5() crypt option however when I configure it as described in the docs
> (--with-sasl2=/usr/include/sasl2 OR
> --with-openssl=/usr/include/openssl)
> it fails to find md5.h.
>
> I have confirmed that md5.h exists in both these directories and have
> even tried using both flags at the same time in an act of desperation.
> I have also tried with just /usr and /usr/include but configure refuses
> to pick up the file.
>
> What am I doing wrong?
>
> This request has been mirrored at
> http://sourceforge.net/tracker/index.php?func=detail&aid=1299165&group_id=5741&atid=205741
>
> Thanks in advance,
> Craig
> --
> Craig Webster | web: http://xeriom.net/
> Xeriom.NET | tel: +44 (0)131 516 8595
>
>

Hi List,
I'm trying to configure Pam-MySQL 0.7pre2 so that I can use the MySQL
MD5() crypt option however when I configure it as described in the docs
(--with-sasl2=/usr/include/sasl2 OR --with-openssl=/usr/include/openssl)
it fails to find md5.h.
I have confirmed that md5.h exists in both these directories and have
even tried using both flags at the same time in an act of desperation. I
have also tried with just /usr and /usr/include but configure refuses to
pick up the file.
What am I doing wrong?
This request has been mirrored at
http://sourceforge.net/tracker/index.php?func=detail&aid=1299165&group_id=5741&atid=205741
Thanks in advance,
Craig
--
Craig Webster | web: http://xeriom.net/
Xeriom.NET | tel: +44 (0)131 516 8595

Hello all,
First of all I must say that I'm not very familiar with the PAM-internals.
I've faced a problem when I tried to configure the OpenSSH server
(FreeBSD-5.3) with pam_mysql (0.7pre2).
Here is the piece of /etc/pam.d/sshd:
auth sufficient pam_mysql.so user=...
auth required pam_unix.so no_warn use_first_pass
It works just fine when user's password is stored in the mysql-database, but
fails when user has no password in the mysql, but has it in the unix
shadow-file (root-password for example).
I've found this code in the pam_mysql.c:
    switch (pam_mysql_check_passwd(ctx, user, passwd,
            !(flags & PAM_DISALLOW_NULL_AUTHTOK))) {
        case PAM_MYSQL_ERR_SUCCESS:
            retval = PAM_SUCCESS;
            break;
        case PAM_MYSQL_ERR_NO_ENTRY:
            retval = PAM_USER_UNKNOWN;
            goto out;
        case PAM_MYSQL_ERR_MISMATCH:
            retval = PAM_AUTH_ERR;
            goto out;
        case PAM_MYSQL_ERR_ALLOC:
            retval = PAM_BUF_ERR;
            goto out;
        default:
            retval = PAM_SERVICE_ERR;
            goto out;
    }
    (void) pam_set_item(pamh, PAM_AUTHTOK, passwd);
out:
    if (passwd != NULL) {
        xfree_overwrite(passwd);
    }
But in this case the authtoken wouldn't be passed to the next module
in the chain unless PAM_MYSQL_ERR_SUCCESS is returned. Is it right?
--
Regards,
Stefan
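A constructed model of the two-line sshd stack from the post above, added here as an example and not code from pam_mysql or Linux-PAM: a first module that stores PAM_AUTHTOK only on success starves a following use_first_pass module, whereas storing the token before the verdict lets pam_unix see the typed password. User names, passwords and the return codes are made up for the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the sshd stack quoted above; not pam_mysql or
 * Linux-PAM code. The return codes only stand in for the real PAM ones. */
#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 7

typedef struct { const char *authtok; } pam_handle;   /* the PAM_AUTHTOK item */

/* Made-up credential stores: alice lives in MySQL, root only in the shadow file. */
static int mysql_has(const char *user, const char *pw) {
    return strcmp(user, "alice") == 0 && strcmp(pw, "s3cret") == 0;
}
static int shadow_has(const char *user, const char *pw) {
    return strcmp(user, "root") == 0 && strcmp(pw, "t0psecret") == 0;
}

/* First module. store_early == 0 reproduces the quoted flow, where the
 * pam_set_item(PAM_AUTHTOK) call is skipped whenever the switch jumps to out. */
static int mysql_auth(pam_handle *h, const char *user, const char *typed, int store_early) {
    if (store_early) h->authtok = typed;        /* record the token before deciding */
    if (!mysql_has(user, typed)) return PAM_AUTH_ERR;
    if (!store_early) h->authtok = typed;       /* only reached on success */
    return PAM_SUCCESS;
}

/* Second module with use_first_pass: it never prompts, so no stored item means failure. */
static int unix_auth(pam_handle *h, const char *user) {
    if (h->authtok == NULL) return PAM_AUTH_ERR;
    return shadow_has(user, h->authtok) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* auth sufficient pam_mysql.so ...
 * auth required   pam_unix.so no_warn use_first_pass */
int run_stack(const char *user, const char *typed, int store_early) {
    pam_handle h = { NULL };
    if (mysql_auth(&h, user, typed, store_early) == PAM_SUCCESS)
        return PAM_SUCCESS;                     /* sufficient: stop on success */
    return unix_auth(&h, user);                 /* required: its verdict is final */
}

int main(void) {
    printf("root, token stored only on success:   %s\n",
           run_stack("root", "t0psecret", 0) == PAM_SUCCESS ? "ok" : "denied");
    printf("root, token stored before the switch: %s\n",
           run_stack("root", "t0psecret", 1) == PAM_SUCCESS ? "ok" : "denied");
    return 0;
}
```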

Hello,
I'm trying to auth users based on their domain name. In my database,
domains are separated in two fields, one for domain and one for tld.
So I use this for the username:
usercolumn=CONCAT(domaines.domaine,'.',domaines.tld)
But mysql_escape_string() replaces the ' with \' so the request made to
MySQL isn't correct:
cat /var/log/auth.log
Sep 13 09:41:55 ron login[10400]: pam_mysql - SELECT 1, pass FROM
domaines WHERE CONCAT(domaines.domaine,\'.\',domaines.tld)
Sep 13 09:41:55 ron login[10400]: pam_mysql - MySQL error (You have an
error in your SQL syntax. Check the manual that corresponds to your
MySQL server version for the right syntax to use near
'\'.\',domaines.tld) = 'asylog'' at line 1)
I tried commenting out the lines calling mysql_escape_string() in
pam_mysql_quick_escape() but I get a segfault (probably due to the
lack of \0 at the end of the string).
How can I do this?
Thanks,
Julien Escario

Zitat von Moriyoshi Koizumi <moriyoshi@...>:
> See http://pam-mysql.sourceforge.net/News/00003.php
>
> Moriyoshi
Thanks for the answer. Is there any workaround to get started?
Upgrading the MySQL DB is unfortunately no option at the moment as it is used
for other purposes too.
Regards
Andreas

Hello
I tried to use the 0.6 release of pam-mysql from source on SuSE 9.0. But after
running for some time the configure command raises the error message
"sed: file ./<some-random-filename> Line 39: Unterminated 's' command" and no
Makefile is created.
The installed sed version is "GNU sed version 4.0.6".
Thanks for any help
Andreas